OK, so the StartTLS method makes a request over the default port (389) to invoke the startTLS extended operation, right? Unfortunately, when I try that I get a "protocol error" from iPlanet. I assume that means iPlanet doesn't support StartTLS. :-(

The LDAPS is what I really wanted to do anyway. Unfortunately, the -h option to ldapsearch is for host names only, not for URLs (this arg is passed unmodified to ldap_init(), which wants a hostname). Is there another way to do this with ldapsearch? I can use "openssl s_client -connect iplanethost:636" and it establishes an SSLv3 connection fine. I would rather find a way for the clients and SDK to work with this than to use a wrapper.

At 01:16 PM 8/24/00 -0700, Art Corcoran wrote:
> Here are the details:
> I'm using OpenLDAP 2.0 gamma on Solaris 2.7 built with "--with-tls" and OpenSSL 0.9.5. I have an iPlanet LDAP server on Win2k with a cert installed. I can ldapsearch it with SSL from the iPlanet client with no problems. I can ldapsearch it from openldap without SSL. When I try to ldapsearch it from openldap with SSL, the TLS never starts.

Do not confuse ldaps:// (LDAP over SSL) with LDAPv3's Start TLS. Start TLS is the Standards Track LDAPv3 mechanism for initiating TLS (RFC 2830). ldaps:// is a vendor extension which is not documented in any RFC.
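The two mechanisms contrasted above differ on the wire, which is why a server that only speaks ldaps:// answers a Start TLS request with a protocol error. The following is an added illustration, not code from the thread or from OpenLDAP: it hand-encodes the Start TLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 2830) in BER, decodes the ExtendedResponse's resultCode, and shows both connection paths with only the Python standard library. The host names are placeholders, the sample response bytes are constructed, and the single recv() assumes the response arrives in one read.

```python
"""Start TLS (RFC 2830) versus ldaps:// -- added example, not from the thread.

Start TLS: plain TCP to port 389, send an LDAP ExtendedRequest, then upgrade
the same socket to TLS.  ldaps://: TLS handshake first on port 636, LDAP only
afterwards.  Standard library only; host names below are placeholders.
"""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 2830, section 2.1

# LDAP resultCode values (RFC 2251, section 4.1.10) that matter here
RESULT_SUCCESS = 0
RESULT_PROTOCOL_ERROR = 2


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(body)) + body


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }."""
    request_name = _tlv(0x80, STARTTLS_OID.encode("ascii"))   # [0] context-specific tag
    extended_req = _tlv(0x77, request_name)                   # [APPLICATION 23], constructed
    msg_id = _tlv(0x02, bytes([message_id]))                  # INTEGER; single byte suffices here
    return _tlv(0x30, msg_id + extended_req)                  # outer SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data: bytes):
    """Return (message_id, result_code, error_message) from an ExtendedResponse."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x78:                                           # [APPLICATION 24] ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = _read_tlv(resp, 0)                         # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(resp, pos)                # matchedDN (ignored)
    _, err, _ = _read_tlv(resp, pos)                          # errorMessage
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"), err.decode("utf-8", "replace")


def sample_protocol_error_response(message_id: int = 1) -> bytes:
    """Constructed reply of a server that does not implement Start TLS (for offline testing)."""
    result = _tlv(0x0A, bytes([RESULT_PROTOCOL_ERROR])) + _tlv(0x04, b"") + _tlv(0x04, b"unsupported extended operation")
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x78, result))


def starttls_connect(host: str, port: int = 389, timeout: float = 5.0) -> ssl.SSLSocket:
    """Plain TCP, Start TLS extended operation, then TLS upgrade of the same socket."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(build_starttls_request())
    _, code, err = parse_extended_response(sock.recv(4096))   # assumes one read is enough
    if code != RESULT_SUCCESS:
        sock.close()
        # protocolError (2) is what a server without Start TLS support returns.
        raise ConnectionError(f"Start TLS refused: resultCode={code} {err!r}")
    ctx = ssl.create_default_context()                        # verifies the server certificate
    return ctx.wrap_socket(sock, server_hostname=host)


def ldaps_connect(host: str, port: int = 636, timeout: float = 5.0) -> ssl.SSLSocket:
    """TLS from the first byte; LDAP traffic begins only after the handshake."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print(build_starttls_request().hex())
    print(parse_extended_response(sample_protocol_error_response()))
```

With a reachable directory server, `ldaps_connect("iplanethost")` would succeed against a server that only offers LDAP over SSL on 636, while `starttls_connect("iplanethost")` would raise with resultCode 2, matching the protocol error reported above; both rely on the default certificate verification, so the server's certificate must be trusted for the hostname given.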